Shipping Rust in Firefox

TL;DR: Starting with Firefox 48, Mozilla is shipping its first production Rust code, with more to come!

Mozilla ❤ Rust

It’s hard to believe it’s been almost seven years since Mozilla Research first began sponsoring the development of Rust, at the time little more than an ambitious research experiment with a small but devoted community. Remarkably, despite a long history of inventions and discoveries, Rust’s key principles have remained constant. The Rust core team’s original vision—a safe alternative to C++ to make systems programmers more productive, mission-critical software less prone to memory exploits, and parallel algorithms more tractable—has been central to Mozilla’s interest in backing the Rust project and, ultimately, using Rust in production.

An equally promising development has been the fact that Rust’s safety and modern features are attracting new people to systems programming. For Mozilla, where community-based development is quite literally our mission, widening our circle is vital.

So I’m pleased to mark an important milestone: with Firefox 48, Mozilla will ship our first Rust component to all desktop platforms, and with Android support coming soon.

Building Rust into Mozilla’s media stack

One of the first groups at Mozilla to make use of Rust was the Media Playback team. Now, it’s certainly easy to see that media is at the heart of the modern Web experience. What may be less obvious to the non-paranoid is that every time a browser plays a seemingly innocuous video (say, a chameleon popping bubbles), it’s reading data delivered in a complex format and created by someone you don’t know and don’t trust. And as it turns out, media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in Web browsers’ implementation code.

This makes a memory-safe programming language like Rust a compelling addition to Mozilla’s tool-chest for protecting against potentially malicious media content on the Web. For this reason, Ralph Giles and Matthew Gregan built Mozilla’s first Rust media parser. And I’m happy to report that their code will be the first Rust component shipping in Firefox. For the Rust community as well, this is a real achievement: Rust code shipping to hundreds of millions of Firefox users. Our preliminary measurements show the Rust component performing beautifully and delivering identical results to the original C++ component it’s replacing—but now implemented in a memory-safe programming language.

Firefox telemetry data showing zero issues in over a billion uses of the new Rust code.

More to come!

Many people deserve huge thanks for getting us to this point. Ralph Giles and Matthew Gregan implemented the component, and Nathan Froyd, Nick Nethercote, Ted Mielczarek, Gregory Szorc, and Alex Crichton have been instrumental in integrating Rust into the Firefox build and tooling system and ensuring it can ship on all of our platforms.

24 comments

Felix Schwarz

Does that mean that rust is now a mandatory requirement for building Firefox? Just asking because some distros (i.e. Fedora) don’t have a rust compiler in their repos yet so they might need another nudge.

The rust distribution binaries from rust-lang (at least installed through the script mentioned on the downloads page) supports installing into your home directory (and adding it to path), so it shouldn’t be much of an issue

My point was less building Firefox myself but more about the distro provided Firefox. Fedora (and at least Debian) will not use any pre-built binaries (e.g. precompiled rustc) to build Firefox. The only exception might be the initial compilation of a rustc package.

However I think it is good for Linux distros that the rust code is not mandatory yet so they don’t have to rush getting rust in (although I certainly welcome the addition of rust distro packages and I *really* appreciate Mozilla’s work/funding for rust).

We have active discussions from the Rust side on getting the rust compiler into all of the major Linux distributions. There’s definitely some complexity there, but the Rust community is working hard on doing it before Firefox would require Rust to build by default.

Congrats – a great advance, in fact – quite possibly one for the history books.

Code that doesn’t have to be debugged ad nauseum is absolutely worth more effort – in fact a lot of more effort – but I’m sure we’re all still curious:

How difficult was it to match the speed (of the previous code?) (As opposed to get a competent, working module.) How difficult was it to get that last 10% of speed?

How fast or slow was development, in general, compared to C++ and will experience (and possibly better tools) be able to slash those times? (No doubt extra care and checks were necessary this first time.)

The speed of this particular component is not on the critical path, and Rust was able to immediately match the performance of the C code, so far as we could tell from the automated tests. That said, we’ve certainly seen that there are cases in Servo where our Rust code has required additional work (e.g., inlining hints to the compiler) in order to get the performance of similarly-hinted C++ code.

The development time has been similar, but there is definitely some additional ramp-up time for new Rust developers. Nearly everybody struggles initially with “the borrow checker” (https://doc.rust-lang.org/book/references-and-borrowing.html), a key piece of the Rust type system and its static guarantees, but that certainly seems to pay out in a lack of debugging use-after-free or out-of-bounds memory accesses later!

One bit of extra unanticipated work here was debugging thread creation. In Rust, it’s very easy to safely spawn threads and do the work in them. However, Firefox sometimes runs on older machines with very little memory and we had to write additional code to handle the case where there is not even enough memory left to spawn a thread! This was an interesting challenge in writing Rust code for a production system that we hadn’t encountered (yet) in other projects.